Opinion: Better Code Won’t Save Developers in the Short Run

A lot changed in the 4 years between the last two OWASP Top 10 lists. In this end user perspective*, security pro Dino Londis talks about those changes and argues that organizations need to address the most common web application attacks, even as they work to engineer a new generation of secure applications.

According to OWASP, “Insecure software is undermining our financial, healthcare, defense, energy and other critical infrastructure.” In its 2017 OWASP Top 10 Most Critical Web Application Security Risks the authors argue that as software becomes increasingly complex, and connected, the difficulty of achieving application security increases exponentially. The rapid pace of modern software development processes makes the most common risks essential to discover and resolve quickly and accurately.

Incapsula, a web application firewall (WAF) provider, reported that over ninety percent of domains are exposed to web application attacks with the intent to steal information, compromise future visitors or hijack server resources.

Dino Londis works as an Information Security Engineer at a large multinational law firm where he is part of a team responsible for securing and maintaining digital and hard assets.

Web application security as defined by Incapsula is a security process of protecting layer seven of the of the protocol stack against different security threats that exploit vulnerabilities in an application’s code. The most common target for web application attacks are content management systems like WordPress and Joomla.

Trust is Reaching a Tipping Point

While developers improve their security and integrate it into the development cycle – as opposed to bolting it on afterward – they face a increasingly difficult challenge.

The security landscape is hitting a watershed moment. Back in 2013, when the last OWASP Top 10 Most Critical Web Application Security Risks was released, business was just waking up to the importance of security. The Sony hack had not yet occurred, nor had the Office of Personnel Management (OPM) hack, the Experian hack, the Yahoo hack, the WannaCry outbreak or the City of Atlanta hack. The list goes on and on.

Today security – or the lack thereof – is not just on the mind of the CEO. It weighs on the consciousness of the average consumer, who is fast losing faith in institutions’ ability to protect their data. The Facebook breach – which was technically not a breach – was the tipping point. Right after the fact that millions of Facebook users’ information was shared without their knowing – the American Civil Liberties Union (ACLU), Color of Change, Fight for the Future and others are demanding business take a security pledge to protect user information. Among other demands the pledge is “calling on companies…to build proven security into every service, site, and technology.”

There is a rising level of public distrust in online services because consumers believe that the businesses cannot protect their information, or worse – as in the case of Facebook – don’t care to protect their information when it doesn’t align with the the mission of the business.

While certainly under greater scrutiny, behemoths like Facebook, Amazon and Google will weather the sour consumer sentiment. These companies are now so deeply embedded in the culture and have even deeper pockets to buy their way out. But the same isn’t true for smaller players whose brands are not as well known. A breach, or even a simple disruption of service may be enough to push its customers to a competitor.

A customer might find it impossible to exit the Amazon ecosystem but find it easy and comforting to jump from a small site due to a perceived or real security incident. In fact, in today’s environment, where a customer is locked into their ISP, phone carrier and smart phone, they may enjoy a small sense of freedom to express their discontent at these behemoths by switching on the small fry.

Adding another Layer of Protection

While the quest for bullet-proof software continues, developers can immediately place a level of protection at the application layer. Out of the box, a WAF can immediately protect against application layer threats. It inspects traffic long before it gets to the application. Here are the most persistent and pernicious attacks, according to OWASP’s latest list:

SQL Injection

SQL Injection attacks occurs when a perpetrator uses malicious SQL code to manipulate a supporting database into revealing hidden information. When successful, hackers gain access to lists, deletion of tables and unauthorized administrative access. SQL Injection can result in data loss, corruption, or disclosure to unauthorized parties, loss of accountability, or denial of access. Injection can sometimes lead to complete host takeover. The business impact depends on the needs of the application and data.

Cross-site Scripting

After injection vulnerabilities, Cross-site scripting (XSS) is the most prevalent issue in the OWASP Top 10 and is found in around two-thirds of all applications. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

XSS is an injection attack targeting users in order to access accounts, activate Trojans or modify page content. Stored XSS occurs when malicious code is injected directly into an application. Reflected XSS takes place when malicious script is reflected off of an application onto a user’s browser. XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript.

Cross-site Request Forgery (CSRF)

An attack that could result in an unsolicited transfer of funds, changed passwords or data theft. It’s caused when a malicious web application makes a user’s browser perform an unwanted action in a site to which a user is logged on.

Remote File Inclusion

Remote file inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts with the goal of . The perpetrator’s goal is to exploit the referencing function in an application to upload malware (e.g., backdoor shells) from a remote URL located within a different domain. If a hacker can inject a file onto a web application server, they can execute malicious scripts or code within the application. They can also use it for data theft or manipulation. The consequences of a successful RFI attack include information theft, compromised servers and a site takeover that allows for content modification. A hacker uses this type of attack to remotely inject a file onto a web application server. This can result in the execution of malicious scripts or code within the application, as well as data theft or manipulation.

Web application security will need to undergo a fundamental change in order to build secure applications from the ground up. Until then, the best defense in the short term for layer 7 attacks is a WAF that can prevent attacks from even reaching your applications. Without that defense, any hiccup in service or security event could cause a significant customer loss.

(*) This post is sponsored by Incapsula, which is a paid supporter of The Security Ledger.